2018 US voter records offered for sale on hacking forum

Somebody is selling US voter registration databases on an English-language dark web hacker forum, and the offer comes with the promise that they will be updated every week, Anomali and Intel 471 researchers have discovered.

Anomali Labs security researchers estimate that, all in all, the databases hold records of over 35 million voters: full name, phone number, physical address and voting-related information. Apparently, they also include the voters’ previous voting history.

The researchers have reviewed a sample of the database records and are pretty confident that the data is valid.

They made sure to note that voter registration lists are not exactly secret and can be accessed by authorized persons such as political campaigns, journalists and academic researchers. Some voter registration data is even considered to be public record. But there’s no doubt this data can be misused by malicious actors.

“With the November 2018 midterm elections only four weeks away (…) this type of information can facilitate criminal actions such as identity fraud or allow for false submissions of changes online to voter registrations, making some legitimate voters ineligible to cast ballots. In a voter identity theft scenario, fraudsters can cause disruptions to the electoral process through physical address changes, deletion of voter registrations, or requests for absentee ballots on behalf of the legitimate voter,” they explained.

Up-to-date data?

Certain forum participants have banded together and crowdfunded the money to buy the Kansas voter database, which has now been released to all registered members of the hacker forum.

They are also currently in the process of crowdfunding the acquisition of a second database, which will supposedly also be made accessible to the forum members.

But who’s the seller and how does he or she have access to these databases? The researchers “assess with moderate confidence that [the seller] may have persistent database access and/or contact with government officials from each state.”

“The seller indicates they receive weekly updates of voter registration data across the states and that they receive information via contacts within the state governments. Certain states require the seller to personally travel to locations in-state to receive the updated voter information. This suggests the information disclosure is not necessarily a technical compromise but rather a likely targeted campaign by a threat actor redistributing possibly legitimately obtained voter data for malicious purposes on a cybercrime forum,” they explained.

Christy Wyatt, CEO of Dtex Systems, pointed out that threat actors frequently recruit and fool insiders into helping them to pull off data theft and abuse schemes.

“This research seems to indicate that insiders either knowingly or unwittingly helped the nefarious party to obtain voter information,” she said, and noted that government-sector research they conducted earlier this year revealed that 53 percent of agencies have been hit with an insider incident.

“Assessments we conducted for our 2018 insider threat intelligence report, which included the public sector, showed that 100 percent of organizations had malicious and negligent insider threats taking place,” she added.